& Friends on Technology Policy

On Legal Challenges to Advancing Cybersecurity

Georgetown University’s Institute for Law, Science, and Global Security hosted a discussion this morning between the Institute’s Director, Dr. Catherine Lotrionte, and US Cyber Command’s Legal Counsel, Col. Gary Brown*, on the topic of “Legal Challenges to Advancing Cybersecurity.” The purpose of the discussion was to highlight some of the lessons learned from a conference held last year on the same topic, in which policymakers and other leaders in cyber attempted to tackle the legal complexities of cybersecurity.
Some of the key points that Lotrionte and Brown came away with from last year’s conference included: multiple frameworks may be necessary to address the complexities of cybersecurity, instead of a single silver-bullet solution; there is a need for scenario-based planning rather than planning based largely on theoretical discussions; privacy and security should not be treated as distinct subjects in the cyber realm but must instead be addressed in tandem; and cybersecurity must be seen as a collaborative endeavor, not only domestically but internationally as well.

A key issue Brown identified is the development of and adherence to a common terminology. He pointed to the example of the term “cyberattacks.” What exactly are they? Often in the media, different types of conduct are lumped together under the umbrella of cyberattacks, but there are key distinctions amongst those varying actions – distinctions of great importance for the military, for policymakers, and, of course, for the lawyers. In this vein, Brown pointed out how even when looking at specific scenarios, such as cyber disruptions aimed at critical infrastructure like power grids, ambiguities remain.

For example, would a nation-state-backed disruption that results in a six-hour brownout constitute a cyberattack for the purposes of international law? What about a ten-minute blackout? Can the conclusion that these outcomes amount to an attack be sustained if there’s no physical damage or loss of life resulting from the incident? There are no clear answers to those questions. An incident like the Stuxnet deployment, on the other hand, which caused damage to centrifuges at the Iranian nuclear facility at Natanz, is a pretty solid example of a use of force under international law.

Part of the problem with these ambiguities is that they arise from the very nature of the technology itself. Brown observed that many malicious cyber “acts” begin with an espionage element – that is, surreptitiously accessing another’s system. An attacker can basically do whatever they want at that point, and it conceivably takes very little to switch from exfiltration of information to degradation or destruction of that information, or of the system itself. This leads to difficulties at the policy level, when attempting to decide what permissible options exist for responding to such incidents.

When asked about a potential international norm for states being responsible for the packets that leave their borders, Brown answered that while there’s a certain amount of logic to that approach, the potential exists for “information sensitive” regimes to use such a norm as an excuse for further cracking down on the web activities of dissidents and others in those countries.

On the topic of cyberespionage and the role of countries like China in the wholesale theft of intellectual property from the US, Lotrionte indicated that there is a sense that the US is beginning to take steps to address the issue in a more vocal manner. Lotrionte pointed to two recently published reports documenting China’s espionage efforts as evidence of this trend. In response to a question about how to counter the espionage efforts, she suggested the US could take China to the WTO as one possible approach that could do some good.